OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)

NAME

       oc adm policy add-cluster-role-to-user - Add a role to users for all
       projects in the cluster

SYNOPSIS

       oc adm policy add-cluster-role-to-user [OPTIONS]

DESCRIPTION

       Add a role to users or service accounts across all projects

       This command allows you to grant a user access to specific resources
       and actions within the cluster, by assigning them to a role. It creates
       or modifies a ClusterRoleBinding referencing the specified ClusterRole,
       adding the user(s) or serviceaccount(s) to the list of subjects. This
       command does not require that the matching cluster role or
       user/serviceaccount resources exist and will create the binding
       successfully even when the role or user/serviceaccount do not exist or
       when the user does not have access to view them.

       If the --rolebinding-name argument is supplied, it will look for an
       existing clusterrolebinding with that name. The role on the matching
       clusterrolebinding MUST match the role name supplied to the command. If
       no rolebinding name is given, a default name will be used.

       To learn more, see information about RBAC and policy, or use the 'get'
       and 'describe' commands on the following resources: 'clusterroles',
       'clusterrolebindings', 'roles', 'rolebindings', 'users', 'groups', and
       'serviceaccounts'.
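
       Because the binding is created even when the role or subject does not
       exist, a mistyped name leaves a binding that takes effect as soon as an
       object with that name appears. The audit below is an added example, not
       part of the oc tooling; it assumes the rbac.authorization.k8s.io/v1
       field names, and all sample data in it is constructed.

```python
import json

# Constructed sample in the shape of `oc get clusterrolebindings -o json`
# (rbac.authorization.k8s.io/v1 field names assumed); not from a real cluster.
BINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "cluster-reader-0"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
   "subjects": [{"kind": "User", "name": "alice"},
                {"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
  {"metadata": {"name": "ops-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "ops-admin-typo"},
   "subjects": [{"kind": "User", "name": "bob"}]},
  {"metadata": {"name": "cluster-admin-0"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "mallory-gone"},
                {"kind": "ServiceAccount", "namespace": "ci", "name": "deleted-sa"}]}
]}
"""
# Constructed inventories of the cluster roles, users and service accounts that exist.
ROLES = {"cluster-reader", "cluster-admin"}
USERS = {"alice", "bob"}
SERVICE_ACCOUNTS = {("ci", "builder")}  # (namespace, name)


def find_dangling(bindings, roles, users, service_accounts):
    """Return sorted (binding, problem, name) tuples for unresolved references."""
    findings = []
    for b in bindings.get("items", []):
        name = b["metadata"]["name"]
        role = b["roleRef"]["name"]
        if role not in roles:
            findings.append((name, "missing-role", role))
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s["kind"] == "User" and s["name"] not in users:
                findings.append((name, "missing-user", s["name"]))
            elif s["kind"] == "ServiceAccount":
                key = (s.get("namespace", ""), s["name"])
                if key not in service_accounts:
                    findings.append((name, "missing-serviceaccount", "/".join(key)))
    return sorted(findings)


def audit_sample():
    return find_dangling(json.loads(BINDINGS_JSON), ROLES, USERS, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    print(*audit_sample(), sep="\n")
```

       A user that has not yet logged in may have no User object, so treat
       missing-user findings as items to review rather than confirmed errors.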

OPTIONS

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --dry-run=false
           If true, only print the object that would be sent, without sending
           it.

       --no-headers=false
           When using the default or custom-column output format, don't print
           headers (default print headers).

       -o, --output=""
           Output format. One of:
           json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
           See custom columns
           [⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
           golang template [⟨http://golang.org/pkg/text/template/#pkg-overview⟩]
           and jsonpath template
           [⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

       --rolebinding-name=""
           Name of the rolebinding to modify or create. If left empty, creates
           a new rolebinding with a default name.

       -z, --serviceaccount=[]
           Service account in the current namespace to use as a user.

       --show-labels=false
           When printing, show all labels as the last column (default hide
           labels column).

       --sort-by=""
           If non-empty, sort list types using this field specification. The
           field specification is expressed as a JSONPath expression (e.g.
           '{.metadata.name}'). The field in the API resource specified by this
           JSONPath expression must be an integer or a string.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that need to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is a
           comma separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is a duration.
           Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types (e.g.:
           creation, oom) or "default" and the value is an integer. Default is
           applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

SEE ALSO

       oc-adm-policy(1)

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)